  1. Moodle
  2. MDL-14624

mnet can't setup a peer when a proxy is in use.

    Details

    • Type: Improvement
    • Status: Reopened
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 1.9, 2.0
    • Fix Version/s: 2.0.10
    • Component/s: MNet
    • Labels:
      None
    • Affected Branches:
      MOODLE_19_STABLE, MOODLE_20_STABLE
    • Fixed Branches:
      MOODLE_20_STABLE

      Description

      The mnet code doesn't contain any checks for proxies. This is actually fairly easy to fix, as curl through a proxy is used (and proven) in other places. It only requires the routine that scrapes the site title to use download_file_content() - which just works - and the curl call that gets the SSO key to be modified to check for proxies - mainly by taking the code from the former function.

              Activity

              howardsmiller Howard Miller added a comment -

              Should now be able to establish link with peer through an HTTP proxy. Mostly uses existing (hence tested hopefully) functions and code snippets.

              poltawski Dan Poltawski added a comment -

              Hi Howard,

              I am just wondering if this works?

              My vague memory was that the mnet handshaking would check that the incoming request comes from the same IP address as DNS resolves the host to. So using a proxy would cause that check to fail? (But also, if you are using a proxy and can't get out directly, how does the mnet peer verify who you are and chat back to you?)

              howardsmiller Howard Miller added a comment -

              A very good point that I had not considered. However, it works perfectly from behind my Squid firewall. I can now connect to either Moodle or Mahara and I couldn't before. I'll have a bit more of a think about it, and see if I can justify why it works though.

              howardsmiller Howard Miller added a comment -

              Just checking - both Moodle sites report the IP address of the peer machine as its actual IP address. The presence of the proxy doesn't seem to make any difference. I haven't checked the exact operation, but I guess that if the xmlrpc packet simply contains the originating host name then the IP still resolves correctly and it all works. As long as the path to "get back" is established (proxy or no) then you have a connection. I suppose this means that it doesn't check what the IP was that the request came from!

              skodak Petr Skoda added a comment -

              Please consider reverting this in MOODLE_19_STABLE - see MDL-14659

              howardsmiller Howard Miller added a comment -

              This fix could cause problems, without resolving MDL-14659 so that proxies can be excluded for (typically) local addresses.

              howardsmiller Howard Miller added a comment -

              Changes reverted in 1.9. Will leave in HEAD and continue to resolve MDL-14659.

              howardsmiller Howard Miller added a comment -

              Fixed in HEAD only. MNET now uses Proxy settings if specified, but you can bypass it for specified domains if you so wish.

              howardsmiller Howard Miller added a comment -

              Doesn't consider mnet/xmlrpc/client.php and server.php. This worked for me without. I wonder why.

              This really needs that curl code to be put in the library, as the proxy code will be duplicated again and again.

              mjollnir Penny Leach added a comment -

              Howard is this fixed?

              howardsmiller Howard Miller added a comment -

              Hi Penny,

              My recollection is that this needs some proper testing still. I'm happy to work on it but I won't have any time for (maybe) a few weeks.

              Howard

              mjollnir Penny Leach added a comment -

              ping?

              howardsmiller Howard Miller added a comment -

              Pung, but moving house this week. Soon!!! Need longer days and less need for sleep

              mjollnir Penny Leach added a comment -

              ping again!

              (sorry to nag but it's my last moodle hq mnet week)

              dougiamas Martin Dougiamas added a comment -

              Can I close this?

              mjollnir Penny Leach added a comment -

              Martin I think not - the comment from Howard which says:

              >> Doesn't consider mnet/xmlrpc/client.php and server.php. This worked for me without. I wonder why.

              Makes me think it probably shouldn't be closed, and needs further testing.

              howardsmiller Howard Miller added a comment -

              Unless you/we are convinced this works correctly I would note that I never tested this exhaustively with all the possible combinations of inside/outside a proxy.

              Yes I know I should have done - hours/day issues again.

              nixahnung Jan Kristoffer Roth added a comment -

              Affects Version 2.5.2 too.
              My solution: add Proxy check under curl_setopt (line 374 in mnet/xmlrpc/client.php)

              // check for proxy
              if (!empty($CFG->proxyhost) and !is_proxybypass($uri)) {
                  // SOCKS supported in PHP5 only
                  if (!empty($CFG->proxytype) and ($CFG->proxytype == 'SOCKS5')) {
                      if (defined('CURLPROXY_SOCKS5')) {
                          curl_setopt($httprequest, CURLOPT_PROXYTYPE, CURLPROXY_SOCKS5);
                      } else {
                          curl_close($httprequest);
                          print_error('socksnotsupported', 'mnet');
                      }
                  }

                  curl_setopt($httprequest, CURLOPT_HTTPPROXYTUNNEL, false);

                  if (empty($CFG->proxyport)) {
                      curl_setopt($httprequest, CURLOPT_PROXY, $CFG->proxyhost);
                  } else {
                      curl_setopt($httprequest, CURLOPT_PROXY, $CFG->proxyhost.':'.$CFG->proxyport);
                  }

                  if (!empty($CFG->proxyuser) and !empty($CFG->proxypassword)) {
                      curl_setopt($httprequest, CURLOPT_PROXYUSERPWD, $CFG->proxyuser.':'.$CFG->proxypassword);
                      if (defined('CURLOPT_PROXYAUTH')) {
                          // any proxy authentication if PHP 5.1
                          curl_setopt($httprequest, CURLOPT_PROXYAUTH, CURLAUTH_BASIC | CURLAUTH_NTLM);
                      }
                  }
              }

              A better solution would be a single CURL class (xmlrpc client) for all modules.

              BTW. in some cases (maybe php-versions) you need to add CURLOPT_HTTPHEADER -> Expect:
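
The shared helper that the comments above ask for, as an added example (not Moodle's code and not written by any commenter): it decides once per URI whether the proxy applies and returns the curl options as an array, so every caller gets the same bypass and credential handling. The function names, the `$cfg` array and the comma-separated `proxybypass` setting are assumptions made for illustration.

```php
<?php
// Added example, not Moodle code. $cfg mirrors the $CFG proxy fields quoted above;
// 'proxybypass' (comma-separated hosts) and both function names are assumptions.

function example_proxy_bypassed(string $uri, string $bypasslist): bool {
    $host = strtolower((string) parse_url($uri, PHP_URL_HOST));
    if ($host === '') {
        return false; // no host to match against the list
    }
    $entries = array_filter(array_map('trim', explode(',', strtolower($bypasslist))));
    foreach ($entries as $entry) {
        // Exact host or dot-separated suffix: "example.test" covers
        // "a.example.test" but not "notexample.test".
        $suffix = '.' . $entry;
        if ($host === $entry || substr($host, -strlen($suffix)) === $suffix) {
            return true;
        }
    }
    return false;
}

function example_proxy_curlopts(string $uri, array $cfg): array {
    if (empty($cfg['proxyhost']) || example_proxy_bypassed($uri, $cfg['proxybypass'] ?? '')) {
        return array(); // connect directly
    }
    $opts = array(CURLOPT_HTTPPROXYTUNNEL => false);
    if (($cfg['proxytype'] ?? '') === 'SOCKS5') {
        $opts[CURLOPT_PROXYTYPE] = CURLPROXY_SOCKS5;
    }
    $opts[CURLOPT_PROXY] = empty($cfg['proxyport'])
        ? $cfg['proxyhost']
        : $cfg['proxyhost'] . ':' . $cfg['proxyport'];
    if (!empty($cfg['proxyuser']) && !empty($cfg['proxypassword'])) {
        // Credentials are for the proxy only and are never set on a bypassed request.
        $opts[CURLOPT_PROXYUSERPWD] = $cfg['proxyuser'] . ':' . $cfg['proxypassword'];
        $opts[CURLOPT_PROXYAUTH] = CURLAUTH_BASIC | CURLAUTH_NTLM;
    }
    return $opts;
}

// Constructed sample settings and peer URLs.
$cfg = array('proxyhost' => 'proxy.example.test', 'proxyport' => 3128,
             'proxybypass' => 'localhost, intranet.example.test');
$peer = 'https://peer.example.org/mnet/xmlrpc/server.php';
$httprequest = curl_init($peer);
curl_setopt_array($httprequest, example_proxy_curlopts($peer, $cfg));
var_dump(example_proxy_curlopts('http://moodle.intranet.example.test/', $cfg) === array());
```

Because the options come back as plain data, the bypass decision can be unit-tested for each inside/outside-proxy combination without any network access.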


                People

                • Votes: 0
                • Watchers: 8

                  Dates

                  • Created:
                    Updated:
                    Fix Release Date:
                    9/Jul/12